
It all boils down to trust. He gave it to somebody he trusts, who also has their stake in PayPal. If you couldn't even trust the General Legal Counsel of your company, a secret key might not be the thing you needed to worry about then.


This. You could tank the company by stealing their funds or simply burning the secret-storing computers down.


Risk mitigation is always about mitigating: making something harder, or more nearly impossible, than something else. Nothing is perfect, but some things are better.


But to what end? What more can you do with a printed envelope? ROT13 or Vigenère that piece of text? Then write it in the Dancing Men alphabet?

The point is, you can only mitigate so much before it becomes an exercise in futility. The general counsel, if anybody, is the person who can actually bankrupt your company and get some nice money for himself using some legal tomfoolery. I doubt that, if that were his intention, trying to decode a piece of base64 holding the database's private key would be the course of action he would take.

The author was at a (then) startup. He had a sensitive document. He asked the Legal Counsel to hold on to it and shred it after 1 day. He then forgot about it and went on to build more measures to defend against hackers, who are the more important threat actor here.

Know your threat model and expend your/your company's limited resources on the things that matter.
